Cloudflare parser bug exposes private data of several websites

Cloudflare has disclosed a bug in an HTML parser that put sensitive data from a large number of websites at risk. The flaw is likely to have had a wide impact across the Web, as the content delivery network already backs more than five million websites.

First spotted by Google’s Project Zero researcher Tavis Ormandy, the bug has affected several leading websites including Medium, Uber, Yelp and Zendesk. While Ormandy found the flaw on February 17, it appears to have existed on the cloud service since September 22, 2016, when Cloudflare built a new parser, “cf-html”, after shifting from a Ragel-based HTML parser.

Fixed but impact exists

Though the bug has now been fixed by Cloudflare engineers, one in every 3,300,000 HTTP requests to Cloudflare sites is likely to have caused data to be exposed.

“We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users,” said Ormandy in a detailed note.

After a tweet from Ormandy alerted the company to the bug, Cloudflare’s teams in the US and UK released a fix. The San Francisco-based company also reached out to search engines such as Google, Bing and Yahoo to have the leaked data manually removed from their caches.

“Because of the seriousness of such a bug, a cross-functional team from software engineering, infosec and operations formed in San Francisco and London to fully understand the underlying cause, to understand the effect of the memory leakage, and to work with Google and other search engines to remove any cached HTTP responses,” Cloudflare writes in a blog post.